microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

`--scope machine` for zip install type incorrectly inherits permissions #4496

Open playday3008 opened 1 month ago

playday3008 commented 1 month ago

Brief description of your issue

Using zigtools.zls as an example. The folder where winget unpacks files itself has correct permissions, but all files inside that folder don't. Files and folders inside will incorrectly inherit (or do not inherit at all, IDK) permissions.

That will cause non-admin users to be unable to access/use anything that was installed in “machine” scope, which breaks the whole purpose of installing machine-wide.

Steps to reproduce

winget install --scope machine -e --id zigtools.zls

Expected behavior

Full permission inheritance (achieved manually by disabling and enabling back inheritance): image

Actual behavior

Partial permission inheritance: image

Environment

Windows Package Manager v1.7.11261
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.22631.3593
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.22.11261.0

Winget Directories
-----------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\Diag…
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\sett…
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\Downloads

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled

github-actions[bot] commented 1 month ago

Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

playday3008 commented 1 month ago

How to fix for those who wonder

Manually

Steps (using my example):

  1. Right click on folder C:\Program Files\WinGet\Packages\zigtools.zls_Microsoft.Winget.Source_8wekyb3d8bbwe.
  2. Click Security tab.
  3. Click Advanced button.
  4. Click Change permissions button.
  5. Check checkbox Replace all child object permission entries with inheritable permission entries from this object.
  6. Click OK button.
  7. Confirm by clicking Yes.
  8. Click OK button.

PowerShell

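# Keep only the machine-wide "Portable Package Root" lines of `winget --info`
# (the "(User)" line does not match the pattern).
$winget_machine_package_roots = $(winget --info) -match '^Portable Package Root (?:\(x86\))? +(.+)$'
$winget_machine_package_roots = $winget_machine_package_roots | Select-String '^Portable Package Root (?:\(x86\))? +(.+)$'
# Extract the path from capture group 1.
$winget_machine_package_roots = $winget_machine_package_roots | ForEach-Object {$_.Matches.Groups[1].Value}
$winget_machine_package_roots | ForEach-Object {
    # Read the root's ACL and mark it protected, keeping the inherited entries as explicit ones.
    $acl = Get-Acl $_
    $acl.SetAccessRuleProtection($true, $true)
    # Apply that ACL to every package directory directly under the root.
    Get-ChildItem -Path $_ -Directory | ForEach-Object {
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}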
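
To find out which installed files are affected before changing any ACLs, the following audit lists items under the machine package roots that carry no inherited entries or give BUILTIN\Users no read/execute access. It is an added example, not part of the original issue or of winget; the function name `Get-WinGetAclGap` is hypothetical and the default paths are the machine roots from the `winget --info` output above.

```powershell
# Added example (not winget code): report items under the machine-scope portable
# package roots whose ACLs look wrong for a machine-wide install.
function Get-WinGetAclGap {
    [CmdletBinding()]
    param(
        # Assumption: defaults are the machine roots shown in the issue's `winget --info`.
        [string[]]$PackageRoot = @(
            'C:\Program Files\WinGet\Packages',
            'C:\Program Files (x86)\WinGet\Packages'
        )
    )
    # Well-known SID of BUILTIN\Users; comparing SIDs avoids localized group names.
    $usersSid = 'S-1-5-32-545'
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    foreach ($root in $PackageRoot | Where-Object { Test-Path -LiteralPath $_ }) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item  = $_
                $acl   = Get-Acl -LiteralPath $item.FullName
                # Explicit and inherited rules, with identities returned as SIDs.
                $rules = $acl.GetAccessRules($true, $true, $sidType)
                $inherited = @($rules | Where-Object IsInherited).Count
                # Heuristic: only a direct Allow ACE for BUILTIN\Users is checked;
                # access granted through other groups is not evaluated.
                $usersCanRead = [bool]($rules | Where-Object {
                    $_.IdentityReference.Value -eq $usersSid -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $readExec) -eq $readExec
                })
                if ($acl.AreAccessRulesProtected -or $inherited -eq 0 -or -not $usersCanRead) {
                    [pscustomobject]@{
                        Path          = $item.FullName
                        Protected     = $acl.AreAccessRulesProtected
                        InheritedAces = $inherited
                        UsersReadExec = $usersCanRead
                    }
                }
            }
    }
}

# Run from an elevated prompt so every ACL can be read.
Get-WinGetAclGap | Format-Table -AutoSize
```

An empty result means every item inherits from its parent and has a Users read/execute entry. Running it before and after the manual fix above shows whether step 5 reached all child objects.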